The Office of the Inspector General, Audit Division, has completed an audit of compliance with standards governing Combined DNA Index System (CODIS) activities at the Oklahoma Central Regional Crime Laboratory (Laboratory).1 The Federal Bureau of Investigation (FBI) began the CODIS Program as a pilot project in 1990. The DNA Identification Act of 1994 (Act) formalized the FBI’s authority to establish a national DNA index for law enforcement purposes.2 The Act authorized the FBI to establish an index of DNA identification records of persons convicted of crimes and analyses of DNA samples recovered from crime scenes. The Act further specified that the indices include only DNA information that is based on analyses performed in accordance with quality assurance standards issued by the FBI.
The FBI implemented CODIS as a distributed database with three hierarchical levels that enables federal, state, and local crime laboratories to compare DNA profiles electronically. The National DNA Index System (NDIS) is the highest level in the CODIS hierarchy and enables the laboratories participating in the CODIS Program to compare DNA profiles on a national level. NDIS became operational in 1998 and is managed by the FBI as the nation’s DNA database containing DNA profiles uploaded by participating states. DNA profiles originate at the local level, flow upward to the state and national levels, and are compared to determine if a convicted offender can be linked to a crime or if crimes can be linked to each other. Thus, a laboratory’s profiles have to be uploaded to NDIS before the profiles benefit the system as a whole.
The FBI provides CODIS software free-of-charge to any state or local law enforcement laboratory performing DNA analysis. Before a laboratory is allowed to participate at the national level, a Memorandum of Understanding (MOU) must be signed between the FBI and the applicable state laboratory. The MOU defines the responsibilities of each party, includes a sublicense for the use of the CODIS software, and delineates the standards laboratories must meet in order to utilize NDIS.3
The objective of the audit was to determine if the Laboratory was in compliance with standards governing CODIS activities. Specifically, we performed testing to determine if the: (1) Laboratory was in compliance with the NDIS participation requirements; (2) Laboratory was in compliance with the quality assurance standards issued by the FBI; and (3) Laboratory’s DNA profiles in CODIS databases were complete, accurate, and allowable.
We determined that the Laboratory was in compliance with the standards governing CODIS activities with some exceptions. Specifically, we noted the following:
All DNA Laboratory personnel have access to the CODIS system terminal located in the offices of the CODIS State Administrator, including after normal work hours. The CODIS system is password-protected and each user has a unique password. T he Laboratory keeps the terminal in an office space behind a key‑lock door that is left unlocked 24 hours per day, affording all DNA analysts, including those who are not authorized CODIS users, unlimited access to the CODIS server. This fails to meet the NDIS requirement that access to the CODIS system be limited to the minimum number of personnel needed to complete the work. This unrestricted access to the office by non-CODIS users presents opportunities for inadvertent or deliberate misuse of the CODIS system or the alteration of information. The Laboratory took corrective action while we were on-site. The CODIS State Administrator now locks his door during non-duty hours. The key is only available to authorized CODIS users.
The Laboratory did not meet the NDIS standards requiring limited and controlled access. While we were touring the Laboratory, we noticed an exterior door was propped open and unattended. This exterior door is on the side of the building adjacent to the DNA labs. The DNA lab is locked so only DNA personnel may access the laboratory. While on-site, Laboratory management reminded Laboratory supervisors of security policies regarding exterior doors. Additionally, the Quality Assurance Manager issued new policy clarifying how exterior doors are to be manned and monitored while these doors are open. We believe that this new policy will ensure that exterior doors will be adequately manned and secured.
NDIS procedures require a laboratory to submit its external audit to the FBI within 30 days after receipt. However, the Laboratory audit report for 2006 was submitted 2 months after receipt, and the Laboratory had not requested an extension from the FBI.
We reviewed 10 NDIS matches and found that 1 case file did not contain sufficient documentation to verify that the investigator was notified in a timely manner of a convicted offender match.
We found that 94 of the 100 forensic samples we reviewed were complete, accurate, and allowable for upload to NDIS. We identified six case forensic samples that were unallowable for upload to NDIS because they were not forensic unknowns. Also, two additional unallowable profiles, which were not part of our sample, were identified as a result of our review. We confirmed that all eight profiles were removed from NDIS. Laboratory officials told us they recently began using the flow chart prepared by the FBI (entitled A Guide to Determining What is Allowable in the Forensic Index at NDIS) when assessing whether a profile is uploadable to NDIS.
We make one recommendation, which is discussed in detail in the Findings and Recommendations section of the report, to improve the Laboratory’s compliance with CODIS activities. Our audit scope and methodology are detailed in Appendix I of the report, and the audit criteria are detailed in Appendix II of the report.
We discussed the results of our audit with Laboratory officials and have included their comments in the report as applicable.
DNA, deoxyribonucleic acid, is genetic material found in almost all living cells that contains encoded information necessary for building and maintaining life. Approximately 99.9 percent of human DNA is the same for all people. The differences found in the remaining 0.1 percent allow scientists to develop a unique set of DNA identification characteristics (a DNA profile) for an individual by analyzing a specimen that contains DNA.
These standards were appended to the MOU as Appendix C - NDIS Procedure Manual. This manual is comprised of several operational procedures that provide specific instructions for laboratories to follow for procedures pertinent to NDIS. For our purposes, the NDIS participation requirements consist of the MOU and the NDIS operational procedures.